
xfrm: add generic iptfs defines and functionality

Define the `XFRM_MODE_IPTFS` and `IPSEC_MODE_IPTFS` constants, and add them to the
switch cases and conditionals alongside the existing TUNNEL mode handling.

Signed-off-by: Christian Hopps <chopps@labn.net>
Tested-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

authored by

Christian Hopps and committed by
Steffen Klassert
d1716d5a 7ac64f45

+48 -6
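--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -38,6 +38,7 @@
 #define XFRM_PROTO_COMP		108
 #define XFRM_PROTO_IPIP		4
 #define XFRM_PROTO_IPV6		41
+#define XFRM_PROTO_IPTFS	IPPROTO_AGGFRAG
 #define XFRM_PROTO_ROUTING	IPPROTO_ROUTING
 #define XFRM_PROTO_DSTOPTS	IPPROTO_DSTOPTS
 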
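--- a/include/uapi/linux/ipsec.h
+++ b/include/uapi/linux/ipsec.h
@@ -14,7 +14,8 @@
 	IPSEC_MODE_ANY		= 0,	/* We do not support this for SA */
 	IPSEC_MODE_TRANSPORT	= 1,
 	IPSEC_MODE_TUNNEL	= 2,
-	IPSEC_MODE_BEET         = 3
+	IPSEC_MODE_BEET         = 3,
+	IPSEC_MODE_IPTFS        = 4
 };
 
 enum {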
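--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
@@ -339,6 +339,8 @@
 	LINUX_MIB_XFRMACQUIREERROR,		/* XfrmAcquireError */
 	LINUX_MIB_XFRMOUTSTATEDIRERROR,		/* XfrmOutStateDirError */
 	LINUX_MIB_XFRMINSTATEDIRERROR,		/* XfrmInStateDirError */
+	LINUX_MIB_XFRMINIPTFSERROR,		/* XfrmInIptfsError */
+	LINUX_MIB_XFRMOUTNOQSPACE,		/* XfrmOutNoQueueSpace */
 	__LINUX_MIB_XFRMMAX
 };
 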
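--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -816,7 +816,8 @@
 	}
 
 	skb_pull_rcsum(skb, hlen);
-	if (x->props.mode == XFRM_MODE_TUNNEL)
+	if (x->props.mode == XFRM_MODE_TUNNEL ||
+	    x->props.mode == XFRM_MODE_IPTFS)
 		skb_reset_transport_header(skb);
 	else
 		skb_set_transport_header(skb, -ihl);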
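Review bot: The widened condition at line 819 (and its twin in net/ipv6/esp6.c at line 862) now treats IP-TFS exactly like tunnel mode without saying why, which a reader of esp4.c alone cannot infer since the IP-TFS mode definition lives in net/xfrm/xfrm_state.c. A one-line comment above the if, such as `/* tunnel and IP-TFS mode: the payload starts at the transport header */`, would tie the two branches to the reset/set distinction that follows. The enclosing function starts and ends outside this hunk, so the surrounding decapsulation context is not visible here.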
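--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -859,7 +859,8 @@
 	skb_postpull_rcsum(skb, skb_network_header(skb),
 			   skb_network_header_len(skb));
 	skb_pull_rcsum(skb, hlen);
-	if (x->props.mode == XFRM_MODE_TUNNEL)
+	if (x->props.mode == XFRM_MODE_TUNNEL ||
+	    x->props.mode == XFRM_MODE_IPTFS)
 		skb_reset_transport_header(skb);
 	else
 		skb_set_transport_header(skb, -hdr_len);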
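--- a/net/netfilter/nft_xfrm.c
+++ b/net/netfilter/nft_xfrm.c
@@ -112,7 +112,8 @@
 		return true;
 	}
 
-	return mode == XFRM_MODE_BEET || mode == XFRM_MODE_TUNNEL;
+	return mode == XFRM_MODE_BEET || mode == XFRM_MODE_TUNNEL ||
+	       mode == XFRM_MODE_IPTFS;
 }
 
 static void nft_xfrm_state_get_key(const struct nft_xfrm *priv,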
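--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -69,6 +69,7 @@
 static void xfrm_outer_mode_prep(struct xfrm_state *x, struct sk_buff *skb)
 {
 	switch (x->outer_mode.encap) {
+	case XFRM_MODE_IPTFS:
 	case XFRM_MODE_TUNNEL:
 		if (x->outer_mode.family == AF_INET)
 			return __xfrm_mode_tunnel_prep(x, skb,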
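--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -677,6 +677,10 @@
 
 		return;
 	}
+	if (x->outer_mode.encap == XFRM_MODE_IPTFS) {
+		xo->inner_ipproto = IPPROTO_AGGFRAG;
+		return;
+	}
 
 	/* non-Tunnel Mode */
 	if (!skb->encapsulation)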
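Review bot: The new IP-TFS branch at line 680 hard-codes `xo->inner_ipproto = IPPROTO_AGGFRAG` and returns, but carries no comment, and the existing `/* non-Tunnel Mode */` comment that follows now implicitly covers "everything except tunnel and IP-TFS" without saying so. A one-line comment before the if, e.g. `/* IP-TFS: the ESP payload is always an AGGFRAG header, never the inner packet's protocol */`, would make the early return self-explanatory. The block that precedes this hunk (presumably the tunnel-mode case, ending in `return;`) and the enclosing function both start outside the hunk, so their handling cannot be compared here.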
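--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2497,6 +2497,7 @@
 		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
 
 		if (tmpl->mode == XFRM_MODE_TUNNEL ||
+		    tmpl->mode == XFRM_MODE_IPTFS ||
 		    tmpl->mode == XFRM_MODE_BEET) {
 			remote = &tmpl->id.daddr;
 			local = &tmpl->saddr;
@@ -3295,7 +3294,8 @@
 ok:
 	xfrm_pols_put(pols, drop_pols);
 	if (dst && dst->xfrm &&
-	    dst->xfrm->props.mode == XFRM_MODE_TUNNEL)
+	    (dst->xfrm->props.mode == XFRM_MODE_TUNNEL ||
+	     dst->xfrm->props.mode == XFRM_MODE_IPTFS))
 		dst->flags |= DST_XFRM_TUNNEL;
 	return dst;
 
@@ -4525,6 +4523,7 @@
 	switch (t->mode) {
 	case XFRM_MODE_TUNNEL:
 	case XFRM_MODE_BEET:
+	case XFRM_MODE_IPTFS:
 		if (xfrm_addr_equal(&t->id.daddr, &m->old_daddr,
 				    m->old_family) &&
 		    xfrm_addr_equal(&t->saddr, &m->old_saddr,
@@ -4568,7 +4565,8 @@
 			continue;
 		n++;
 		if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
-		    pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
+		    pol->xfrm_vec[i].mode != XFRM_MODE_BEET &&
+		    pol->xfrm_vec[i].mode != XFRM_MODE_IPTFS)
 			continue;
 		/* update endpoints */
 		memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,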
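Review bot: The "is this a tunnel-like mode" predicate is now written out by hand at four places in this file (the hunks at 2499, 3297, 4526 and 4567), in varying constant order, and again in net/netfilter/nft_xfrm.c at line 115 and in esp4.c/esp6.c; each future mode addition has to find every one of these by grep. A small helper in include/net/xfrm.h, for example a proposed `static inline bool xfrm_mode_is_tunnel_like(u8 mode)` returning true for TUNNEL, BEET and IPTFS, used at each site would keep them from drifting apart. The hunk at 3297 tests only TUNNEL and IPTFS (BEET was never included there), so if that difference from the other three sites is intentional a short comment on the if would save the next reader from "fixing" it. All four hunks cut into functions whose bodies start outside this section.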
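--- a/net/xfrm/xfrm_proc.c
+++ b/net/xfrm/xfrm_proc.c
@@ -43,6 +43,8 @@
 	SNMP_MIB_ITEM("XfrmAcquireError", LINUX_MIB_XFRMACQUIREERROR),
 	SNMP_MIB_ITEM("XfrmOutStateDirError", LINUX_MIB_XFRMOUTSTATEDIRERROR),
 	SNMP_MIB_ITEM("XfrmInStateDirError", LINUX_MIB_XFRMINSTATEDIRERROR),
+	SNMP_MIB_ITEM("XfrmInIptfsError", LINUX_MIB_XFRMINIPTFSERROR),
+	SNMP_MIB_ITEM("XfrmOutNoQueueSpace", LINUX_MIB_XFRMOUTNOQSPACE),
 	SNMP_MIB_SENTINEL
 };
 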
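--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -467,6 +467,11 @@
 		.flags = XFRM_MODE_FLAG_TUNNEL,
 		.family = AF_INET,
 	},
+	[XFRM_MODE_IPTFS] = {
+		.encap = XFRM_MODE_IPTFS,
+		.flags = XFRM_MODE_FLAG_TUNNEL,
+		.family = AF_INET,
+	},
 };
 
 static const struct xfrm_mode xfrm6_mode_map[XFRM_MODE_MAX] = {
@@ -490,6 +485,11 @@
 	},
 	[XFRM_MODE_TUNNEL] = {
 		.encap = XFRM_MODE_TUNNEL,
+		.flags = XFRM_MODE_FLAG_TUNNEL,
+		.family = AF_INET6,
+	},
+	[XFRM_MODE_IPTFS] = {
+		.encap = XFRM_MODE_IPTFS,
 		.flags = XFRM_MODE_FLAG_TUNNEL,
 		.family = AF_INET6,
 	},
@@ -2344,6 +2334,7 @@
 #endif
 	case XFRM_MODE_TUNNEL:
 	case XFRM_MODE_BEET:
+	case XFRM_MODE_IPTFS:
 		return 4;
 	}
 	return 5;
@@ -2371,6 +2360,7 @@
 #endif
 	case XFRM_MODE_TUNNEL:
 	case XFRM_MODE_BEET:
+	case XFRM_MODE_IPTFS:
 		return 3;
 	}
 	return 4;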
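--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -383,6 +383,16 @@
 	case XFRM_MODE_ROUTEOPTIMIZATION:
 	case XFRM_MODE_BEET:
 		break;
+	case XFRM_MODE_IPTFS:
+		if (p->id.proto != IPPROTO_ESP) {
+			NL_SET_ERR_MSG(extack, "IP-TFS mode only supported with ESP");
+			goto out;
+		}
+		if (sa_dir == 0) {
+			NL_SET_ERR_MSG(extack, "IP-TFS mode requires in or out direction attribute");
+			goto out;
+		}
+		break;
 
 	default:
 		NL_SET_ERR_MSG(extack, "Unsupported mode");
@@ -2023,6 +2013,8 @@
 			NL_SET_ERR_MSG(extack, "Mode in optional template not allowed in outbound policy");
 			return -EINVAL;
 		}
+		break;
+	case XFRM_MODE_IPTFS:
 		break;
 	default:
 		if (ut[i].family != prev_family) {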
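Review bot: In the second hunk (new line 2017) the added `case XFRM_MODE_IPTFS:` breaks out immediately, so IP-TFS policy templates skip both the optional-template check the preceding case performs (`Mode in optional template not allowed in outbound policy`) and the family-consistency check in `default:`. Given that the first hunk restricts IP-TFS states to ESP with an explicit direction and the mode maps in xfrm_state.c give it XFRM_MODE_FLAG_TUNNEL, it is presumably meant to follow the same template rules as the tunnel modes; if so, the label should join the case labels that precede the optional-template check rather than get its own empty case. Those labels, and the start of the enclosing function, are outside this hunk, so this needs confirming against the full switch. The first hunk's checks look complete for the state path; a short comment on `sa_dir == 0` saying why IP-TFS cannot be direction-less would help the next reader.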